IMPORTANT: If you have installed a previous version of the Administration Console or the Identity Server on a machine that does not have at least 1 GB (Linux) or 1.2 GB (Windows) of memory, the upgrade to SP3 fails. The installation script checks the available memory and exits the upgrade if the machine does not have the minimum required memory.

IMPORTANT: After upgrading the Linux Access Gateway Appliance to Novell Access Manager 3.1 SP3, Session Stickiness is disabled by default for all services. For instructions, see Session Stickiness Upgrade Issue in 3.1 SP3.

2.1.2 Installation Instructions

For installation instructions for the Access Manager Administration Console, the Identity Server, the Access Gateway Appliance, the Access Gateway Service, and the SSL VPN server, see the Novell Access Manager Installation Guide.

2.1.3 Verifying Version Numbers Before Upgrading

If you are upgrading from Access Manager 3.0, all components must first be upgraded to Access Manager 3.1 SP2 before upgrading to Access Manager 3.1 SP3.

2.4 Installing the High-Bandwidth SSL VPN Server

The key for the high-bandwidth SSL VPN server does not ship with the product because of export laws and restrictions. The high-bandwidth version does not have the connection and performance restrictions that apply to the version that ships with the product. Your regular Novell sales channel can determine whether export law allows you to order the high-bandwidth version at no extra cost.

After you have obtained authorization for the high-bandwidth version, log in to the Novell Customer Center and follow the link that allows you to download the high-bandwidth key.

3.0 Bugs Fixed in Access Manager 3.1 SP3

3.1 Administration Console

Fixed an issue in which unauthorized users could upload arbitrary files without authentication on the Windows Administration Console.

An anonymous user could use external scripts to upload arbitrary files to the Administration Console on the Windows platform without authenticating. The issue is caused by the way the iManager server handles path separators on Windows. The Administration Console on the Linux platform is not affected.

Fixed an issue with Administration Console XML validation errors.

Fixed an issue with Administration Console backup/restore by changing a value in the ambkup.sh file.

Fixed an issue that caused an Install error to be displayed when upgrading the Administration Console on the Windows platform.

Fixed an issue with password validation in the Novell Access Manager Administration Console, which did not start after an SP2 upgrade. If a wrong password is provided for the Administration Console during the upgrade, the script now prompts for the correct password up to three times and then terminates.

Fixed an issue in the use of the NSS library reported in CERT-In Advisory CIAD-2010-25. Novell Access Manager has been updated to JDK 1.6.0_22-1 to resolve the issue.

Fixed an Apache Tomcat Transfer-Encoding header vulnerability. Novell Access Manager now ships Tomcat version 5.5.30, which resolves the issue.

Fixed an issue with backing up the Administration Console configuration in Access Manager 3.1 SP2 IR1 on Windows 2008 R2 by adding a command that deletes the backup file during the data backup action.

Fixed an issue that caused the Access Manager SP3 upgrade to break Identity Provider management through the user interface.

3.2 Identity Server

Fixed an issue with the Identity Server's Java process, which displayed 6000% utilization every one or two days and forced a reboot.

Roles in an assertion are now found properly in the Identity Provider instead of resulting in a 403 Forbidden error.

Fixed an issue with a custom LDAP server.

Fixed an issue with the Web.xml init parameter that can be added to disable the prompt asking whether a user consents to federate with a service provider.

Fixed an issue with an incorrect SAML AuthnResponse that caused the Identity Provider to fail at user login.

Fixed an issue with Identity Provider session failover when there is no Access Gateway available in the setup.

Fixed an issue with passing query parameters while calling /nesp/app/plogout.

Fixed an issue with X509 CRL checks, which were failing because of the anonymous bind syntax.

The Identity Server now successfully re-imports after an upgrade.

Fixed a bug with the SAML NMAS method so that the administrator can now install the SAML method on the secondary server by using command-line instructions on SLES 11 eDirectory, together with the supporting libraries.

Access Manager now works in a NAT environment.

Fixed an issue with SAML AuthnRequest messages that included certain types and caused AuthnContextClassRef to return an invalid authentication type.

Fixed an issue with SAML 2.0 integration that required the assertion time to be valid for 90 seconds.

Fixed a stability issue caused by the SSL VPN upgrade to SP2.

Policy information can now be retrieved after upgrading from 3.1.1 to 3.1.2.

The Access Gateway Identity Injection Policy now works as expected.

Fixed the looping login issue.

Fixed the issue in which the IDP portal page was displayed when the intersite transfer URL was accessed with a specific contract.

3.3 Access Gateway Service

Fixed an issue with updating individual cluster members on an Access Gateway Service cluster.

Fixed an issue in which downloads through the Linux Access Gateway slowed down, froze, or resulted in broken files.

Enabled rewriting of inbound query string data to fix an issue in which rewriter rules created loops when used in path-based multi-homing proxy services.

Fixed an issue in which the Access Gateway Appliance crashed in the rewriter, by changing the configuration. The rewriter configuration now works as expected with vmc restarts related to the Purge Cache command.

The Access Gateway Appliance now adds the port to the Host header in Web server requests.

Fixed an issue with Patch.pm errors while updating the Access Gateway Appliance patch channel using the SMT server.

Fixed an issue in which the SLES 11 Access Gateway Appliance boot process was delayed while initializing network interfaces, reporting that it was waiting for mandatory devices.

Fixed an issue with static routing entries that were not applied after the Access Gateway Appliance rebooted. Because every Apply overwrites the configuration with the settings from the Device Manager, you can add the commands you require to the /chroot/lag/opt/novell/bin/postapply.sh script.

Changing authorization policies that are running on the Access Gateway Appliance now displays an alert to update the Access Gateway Appliance.

Fixed an issue with error -649 when the server ran out of memory after creating 100+ roles. This issue is resolved by adding a schema and modifying the build.xml file.

All authorization policies are now applied to all cluster members in an Access Gateway Appliance cluster.

Fixed an issue with passing query parameters while calling /nesp/app/plogout to logoutSuccess.jsp.

Increased the number of IP addresses that can be assigned to the Access Gateway Appliance from 100 to 500.

Identity Injection now happens for requests to public resources after a soft time out with the Access Gateway Appliance.

Applying changes is now faster with the Access Gateway Appliance because an issue with restarting the loopback interface has been fixed.

Fixed an issue with the /var/novell/.Passwdmgmt touch file. The Access Gateway Appliance no longer uses the old Form Fill policy cache after the password is changed at the password management service.

Fixed a DNS mismatch on the Access Gateway Appliance.

Fixed the form fill passed/failed event ID in Sentinel Log Manager.

Modified the rewriter configuration so the Access Gateway Appliance no longer crashes the rewriter multiple times a day.

Created a new PKCS#12 / KMO object that stores the trust chain and includes only the Entrust Cross Certificate, so the Access Gateway can provide cross-domain certificates that are available in a certificate root chain.

Fixed an issue by disabling the Session Stickiness option, so that failover policies are exercised properly on the Access Gateway Appliance when a protected resource is accessed from different clients.

Enhanced the style sheet to fix an issue with the non-redirected login feature.

3.4 SSL VPN

Fixed an issue with the Internet Explorer security updates by manually entering the registry subkey.

Fixed an issue with SSL VPN authentication configuration settings by enhancing the stylesheet.

4.0 Known Issues in Access Manager 3.1 SP3

4.1 The Access Gateway Service Reimport Screen on SLES 11 Displays Only the 127.0.0.2 Address

The ./conf/reimport_ags.sh script imports the Access Gateway device into the Device Manager. During this process, the script displays only the 127.0.0.2 IP address instead of the Access Gateway device's static IP address, so the import of the device into the Device Manager fails.

To work around this issue, edit the /etc/hosts file so that the host entry with the actual IP address comes before the entry for 127.0.0.2. Do this before running the import.
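The following added example (not part of the Novell release notes) checks and repairs the /etc/hosts ordering that the reimport_ags.sh workaround above depends on; the hostname, addresses and file content are constructed for the demo.

```python
"""Added example (not from the Novell release notes): check and repair the
/etc/hosts ordering that the reimport_ags.sh workaround above depends on.
Hostname, addresses and file content are constructed for the demo."""
import shutil

# Constructed sample in the state that makes the import pick 127.0.0.2:
# the SLES 127.0.0.2 alias line comes before the line with the real address.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.2       ag1.example.com ag1
10.20.30.40     ag1.example.com ag1
::1             localhost ipv6-localhost
"""

def _entries_for(hostname, text):
    """(line index, ip) for every non-comment line that names hostname."""
    hits = []
    for idx, line in enumerate(text.splitlines()):
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and hostname in fields[1:]:
            hits.append((idx, fields[0]))
    return hits

def hosts_order_ok(hostname, text):
    """True when the first entry naming hostname is not the 127.0.0.2 alias."""
    hits = _entries_for(hostname, text)
    return bool(hits) and hits[0][1] != "127.0.0.2"

def fix_hosts_order(hostname, text):
    """Move the 127.0.0.2 line(s) for hostname below its last real-IP line;
    every other line keeps its content and relative order."""
    lines = text.splitlines(keepends=True)
    hits = _entries_for(hostname, text)
    alias_idx = [i for i, ip in hits if ip == "127.0.0.2"]
    real_idx = [i for i, ip in hits if ip != "127.0.0.2"]
    if not alias_idx or not real_idx:
        return text  # nothing to reorder, or no real entry to promote
    moved = [lines[i] for i in alias_idx]
    kept = [l for i, l in enumerate(lines) if i not in alias_idx]
    # index of the last real line once the alias lines above it are removed
    pos = max(real_idx) - sum(1 for i in alias_idx if i < max(real_idx)) + 1
    return "".join(kept[:pos] + moved + kept[pos:])

def repair_hosts_file(hostname, path="/etc/hosts"):
    """Rewrite path in place (keeping a .bak copy) if the order is wrong.
    Returns True if the file was changed."""
    with open(path) as fh:
        text = fh.read()
    if hosts_order_ok(hostname, text):
        return False
    shutil.copy2(path, path + ".bak")
    with open(path, "w") as fh:
        fh.write(fix_hosts_order(hostname, text))
    return True
```

Run `repair_hosts_file("<your-appliance-hostname>")` as root before starting reimport_ags.sh; it leaves a .bak copy and changes nothing when the order is already correct.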

4.2 The Brokering OR Condition Rules Are Not Updated

When you first use the Brokering tab to create rules for role conditions, the rules are displayed correctly. However, if you modify an existing role with OR conditions, the change is not updated or displayed correctly.

To work around this issue, delete the existing role condition and create a new one.

Sometimes when the naudit service is stopped by using the /etc/init.d/novell-naudit stop command, other important services such as Tomcat and JCC also stop, which interrupts service.

To work around this issue, manually restart the Tomcat and JCC services.

4.4 Upgrading NTPD Running on SLES 10 and SLES 11

A Nessus scan against Access Manager components installed on SLES 10 and SLES 11 reports that the version of ntpd running on these hosts has a denial-of-service vulnerability.

To work around this issue, upgrade ntpd to 4.2.4p8 or later.

NOTE: ntpd version 4.2.0a is used on SLES 10 and ntpd version 4.2.4p6 is used on SLES 11.

4.5 The Access Gateway Service Performance Drops by 90% When the Audit Server Is Not Reachable

In the Access Gateway Service, caching is disabled by default. When the Sentinel Log Manager is down, the logging API tries to connect to it for every request, which causes the performance drop.

To work around this issue, do one of the following:

Enable Access Gateway Service caching by changing <param name="EnableCaching" value="false"/> to <param name="EnableCaching" value="true"/> in the /etc/opt/novell/amlogging/config/log4j.xml file.

Force the Sentinel Log Manager audit server to cache all events by setting the LogForceCaching=Y in the /etc/logevent.conf file.
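The following added example (not Novell's code) audits whether a host has either of the two workarounds above in place and applies the log4j.xml one; the file contents are constructed, and the element layout around the <param> line is an assumption, since only that line appears in the release notes.

```python
"""Added example, not Novell's code: audit whether a host has either of the
two workarounds above in place (EnableCaching=true in log4j.xml, or
LogForceCaching=Y in logevent.conf). File contents are constructed; the
element layout around the <param> line is an assumption."""
import re
import xml.etree.ElementTree as ET

# Constructed samples in the default (unmitigated) state.
SAMPLE_LOG4J = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="NAUDIT" class="com.example.AuditAppender">
    <param name="EnableCaching" value="false"/>
  </appender>
</log4j:configuration>
"""
SAMPLE_LOGEVENT = """# constructed logevent.conf
LogHost=audit.example.com
#LogForceCaching=Y
"""

def log4j_caching_enabled(xml_text):
    """True if a <param name="EnableCaching"> has value "true" (any case)."""
    root = ET.fromstring(xml_text)
    values = [p.get("value", "") for p in root.iter("param")
              if p.get("name") == "EnableCaching"]
    return any(v.strip().lower() == "true" for v in values)

def logevent_force_caching(conf_text):
    """True if an uncommented LogForceCaching=Y line is present."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "LogForceCaching":
            return value.strip().upper() == "Y"
    return False

def set_log4j_caching(xml_text):
    """Textual fix that touches only the EnableCaching value, so the XML
    declaration, DOCTYPE and formatting of the real file are preserved."""
    pattern = re.compile(r'(<param\s+name="EnableCaching"\s+value=")[^"]*(")')
    return pattern.sub(r'\1true\2', xml_text)

def audit_server_down_mitigated(xml_text, conf_text):
    """True when at least one of the two workarounds is in effect."""
    return log4j_caching_enabled(xml_text) or logevent_force_caching(conf_text)
```

Feed the functions the contents of /etc/opt/novell/amlogging/config/log4j.xml and /etc/logevent.conf from the appliance; a False result from audit_server_down_mitigated means the 90% drop will occur when the audit server is unreachable.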

4.6 Enabling the Include the Session Timeout Attribute in the Assertion Results in Error 300101032

If you enable the Include the Session Timeout Attribute in the Assertion option on the Authentication Response tab of the federation protocol, the assertion fails because the AuthnInstant and SessionNotOnOrAfter values are identical.

Currently, the Include the Session Timeout Attribute in the Assertion option does not work as desired.

4.7 Logging Out from the Target SP Randomly Gives a Null Pointer Exception

The exception is seen when the Allow multiple browser session logout option is enabled and the protocols are SAML 1.1 and Liberty.

4.8 The SP Brokering Functionality Does Not Work with Shibboleth IDP as the Origin IDP

If you try to access the Brokering URL after configuring an SP Brokering group with the Shibboleth Identity Provider, it fails to access the target application.

4.9 Do Not Apply Configuration Changes Immediately After the Purge Cache Command When the High Availability Feature is Enabled

After issuing the Purge Cache command, wait at least 30 seconds before applying configuration changes. If you apply the configuration changes immediately after issuing the Purge Cache command, both actions are applied to the ics_dyn process at the same time, which might cause ics_dyn to enter the defunct state.

If the ics_dyn process enters the defunct state, restart novell-vmc so that all three ics_dyn processes are up and running.

The Administration Console upgrade is successful, but an error message is logged in the upgr_edir.log file.

It is safe to ignore the error message.

4.11 J2EE Agents Deny New Authentication Because of Low System Memory

New authentications are denied because of low system memory. To work around this issue, add memory to the machine or click the Update from server option for the respective agent until the threshold value reaches zero.

4.12 Error while Downloading Logs through the Administration Console on Windows

Downloading logs through the Administration Console displays the following error message:

"There were logs that failed to download."

To work around this issue, specify the correct log file name in the UI, then download it from the Administration Console.

If you have two contracts, and the Overwrite Real User option is enabled for one of them, the first user authentication does not overwrite the second user authentication. It displays the following error message:

The installation completes successfully without errors. When you restart the system, the Tomcat service fails to start. If only the Administration Console is installed, no logs are generated. If the Identity Server is installed, the jakarta_service_aaammdd.log file reports errors.

To work around this issue:

Start Tomcat in both the Administration Console and the Identity Server installations.

Change the decimal value of the keys from 1024 to 512. This allows the Tomcat service to start successfully.

Reduce the amount of RAM below 4 GB, then restart the server.

This allows JCC to start successfully. If Tomcat is already started, the registration process automatically displays the Identity Servers in the Admin Console.

4.15 The Applet and ActiveX Versions Do Not Match the Build Number

It is safe to ignore the different version numbers.

4.16 On Windows, openVPN Fails to Download the Traffic Policies to a Destination Having a Subnet Mask

This issue occurs only when a traffic policy has a destination with a subnet mask. If the traffic policy has only one host and no destination with a subnet mask, it works as expected. This issue is not observed with the default policies.

This issue has not been observed while using Java.

4.17 The SSL VPN Causes a Windows Explorer Crash in Kiosk Mode

On Windows XP, the SSL VPN client works properly in Enterprise mode but crashes Windows Explorer when using ActiveX.

If you restore or downgrade the Windows XP client to Windows XP SP3, the SSL VPN client works properly in Kiosk mode.

You cannot perform any operation on Lotus iNotes through multiple Access Gateways when path-based multihoming is enabled with the remove path option. The following error message is displayed:

"A problem has occured which may have caused the current operation to fail."

These operations work properly in domain-based multihoming and in path-based multihoming without the remove path option.

4.21 Service Unavailability Caused by a SLES 11 Issue

Because of an operating system issue, the hostname resolves to the 127.0.0.2 entry. This causes 127.0.0.2 to become the default address of the listener when the device is added to the cluster.

To work around this issue:

Go to the proxy service page. Change the listening IP address to the other cluster member's address, then select the correct IP address again.

Click Update to save the changes.

Verify the correct address and add the device to the cluster.

IMPORTANT: Do not refer to the deployment scenarios in the context-sensitive help available with the Access Manager 3.1.3 build. Refer to this information in the Identity Server Guide.

5.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.